Last year hackers made headlines when AT&T announced to a security breach that had allowed hackers to access the personal data from 114,000 iPad 3G users. On Thursday, 26-year old Daniel Spitler from San Francisco pleaded guilty to two crimes: conspiracy to gain unauthorized access to computers and identity theft. Spitler faces up to 10 years in prison — five years for each count, according to The Wall Street Journal. “Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves,” said U.S. Attorney Paul Fishman in New Jersey. “Daniel Spitler’s guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport.” Fishman’s statements are clearly also aimed at other hackers; LulzSec and Anonymous, two hacking groups, recently announced that they have joined forces to attack the U.S. government. That’s in addition to recent hacks on Sony — which LulzSec took responsibility for — and Citigroup. Spitler will be sentenced on September 28th.

Read

Remember Citigroup’s recent security breach? The firm originally said that 200,000 accounts — 1% of its customers — were compromised, but now Citi is going on record and saying that hackers gained access to a total of “360,083 North America Citi-branded credit cards.” Unfortunately, the company hasn’t provided any details on how the attack occurred, or who was behind it; the infamous hacking group LulzSec, which claimed responsibility for a number of recent high-profile targets including Sony, hasn’t yet mentioned any involvement. If you’re an optimist, the good news is that Citigroup says the number of active accounts affected is actually below the 360,000 figure — because of subsequent account closures — and that the hackers didn’t steal info enough to actually use the credit card numbers. 217,000 customers have already been provided with replacement cards, and California residents were hit the hardest — 80,000 of the numbers stolen were from that state.

Read

Capcom senior vice president Christian Svensson has voiced his opinion over the Sony’s massive security breach on the Capcom forums. “As an executive responsible for running a business, the resulting outage [is] obviously costing us hundreds of thousands, if not millions of dollars in revenue that were planned for within our budget,” Svensson said in a public forum response. “These are funds we rely on to bring new games to market for our fans.” Capcom has a storefront that offers users the option to purchase extra game content on the PlayStation Network. Svenesson clarified in another post and added that he — and perhaps Capcom, too — is more frustrated with the hackers than with Sony, which he views as the victim.

[Via gamrFeed]

Read

On Tuesday, Sony issued an update explaining the recent PlayStation Network and Qriocity outages. The company said it has discovered that between April 17th and April 19th, someone broke into its network and stole user information. In an effort to stop the security breach, Sony temporarily killed access to its PlayStation Network and Qriocity services, hired a security firm to investigate, and started beefing up its security measures. However, the leaked information may be alarming to PlayStation network users. Here’s part of Sony’s statement:

We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

Sony said that it doesn’t think credit card data was taken, but that it will not rule out the possibility, and says that it’s possible credit card numbers – excluding the security codes – may have been obtained by the intruders. The firm advises that its customers “remain vigilant” by closely monitoring credit statements. Sony says the services will be reactivated as soon as possible and that customers can dial 1-800-345-7669 with any questions. Hit the jump for Sony’s official statement.

Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1. Temporarily turned off PlayStation Network and Qriocity services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.

Sincerely,
Sony Computer Entertainment and Sony Network Entertainment

[Via Tech Crunch]

Read

In what may be one of the largest digital security breaches in United States history, millions of customer email addresses have been exposed as a result of a breach at Epsilon. BGR reported on Saturday that TiVo customer email adresses had been compromised as a result of unauthorized access to online marketing company Epsilon’s servers. Following that report, several other companies have come forward to confirm that their customers’ email adresses may have been exposed. Those potentially affected include customers enrolled in Best Buy’s Reward Zone program as well as customers of Citigroup, J.P. Morgan Chase, TiVo, Barclays, Walgreens, U.S. Bancorp, Capital One, HSN and College Board, which represents almost 6,000 different U.S. colleges and universities. “A subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system,” Epsilon said in a statement last week. The company insists that only names and email addresses may have been compromised, and that sensitive information such as social security numbers, credit card numbers and passwords were not accessed.

While the fallout continues over last week’s security breach which saw hackers gain access to the email addresses of some 114,000 AT&T iPad 3G customers continues, AT&T’s VP of public policy and Chief Privacy Officer Dorothy Attwood today sent out an email to everyone of AT&T’s iPad 3G data plan subscribers to explain the situation. While email addresses were obtained by the hackers, Attwood contends that the hackers were unable to access more critical things such as account passwords, AT&T’s network, or user’s iPads. Attwood also said that as soon as AT&T learnt of the hack on June 7th, it took swift action to prevent any further unauthorized exposure of customer email addresses” and patched up the hole which made the hack possible “within hours.” Of course this raises the whole question as to why it took AT&T six days to notify its customers that hackers had gained control of some of their personal information, but we imagine the FBI’s investigation into the matter might help clear some things up. You know, that or the surely dozens of lawsuits that are going to be filed over the matter. Hit up the jump to check out the email in its entirety.

Thanks, Adam!

And here comes the FBI. Speaking to Wall Street Journal, an FBI spokesperson confirmed that the FBI has opened an investigation into the security breach which saw the confidential information of some 114,067 iPad 3G owners being retrieved. Despite the claims of Gawker, the site which broke the story, AT&T contends that the issue had been discovered and fixed the day before the story broke. Although security experts claim there it’s unlikely that further harm will come from the leak, there is still the off chance that the email addresses — some of which belong to high level members of the government and military — could fall into the wrong hands of an even worse group of people and become open game for hackers.

Read

Um, wow. Gawker revealed today that a  group of hackers from Goatse Security (no joke) were recently able to breach AT&T’s servers and obtain confidential user info on a significant amount of AT&T’s iPad 3G users. AT&T eventually patched up the hole in its system after being informed of its existance by Goatse Security, but that was after the confidential information such as email addresses of an estimated 114,067 iPad 3G users — including top level government officials, high-ranking military officers, and Fortune 500 CEOs — were exposed. Here’s how the data was obtained.

When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.

To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.

The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it’s not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it’s likely many accounts beyond the 114,000 have been compromised.

It goes without saying that this is an incredibly serious issue, and is one that most definitely gain more exposure over the coming days. In some ways, we have to wonder what is more concerning: the fact that people outside of the Goatse Security are believed to have accessed the information, or that AT&T knew this happened and did not fess up. Either way, we know which one is the least surprising.

It’s not known whether or not Apple was ever made aware of the situation. Both companies have declined to comment on the matter.

Read

Following yesterday’s news of a possible security breach at T-Mobile, the carrier has confirmed today it was indeed a victim of data theft. According to the company, internal information posted on the Internet by hackers was authentic. T-Mobile also claims however, that the stolen data does not appear to jeopardize its customers.

Regarding the recent claim on a Web site, we’ve identified the document from which information was copied and believe possession of this alone is not enough to cause harm to our customers.

A bit PR-ish, considering the hackers claim to have obtained several confidential documents along with financial and database data. The unnamed group first tried to sell said information to T-Mobile competitors and when that didn’t work they offered the data up to the highest bidder. Whether or not a sale has taken place is unclear for the time being.

Thanks, Chris!

Read